Please note: this post is incomplete & pending review.
A1 – Broken Authentication
A bit of a short post here, but basically login systems need to be rock solid. Luckily for us in the WordPress world, we have a solid system in place that has been growing and well maintained for 15 years:
WordPress core software manages user accounts and authentication, and details such as the user ID, name, and password are managed on the server-side, as well as the authentication cookies. Passwords are protected in the database using standard salting and stretching techniques. Existing sessions are destroyed upon logout for versions of WordPress after 4.0.
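A minimal PHP sketch of the three properties described above: salted and stretched password storage, session state held on the server, and session destruction on logout. This is an added example, not WordPress core code; the function and class names, the choice of PBKDF2 and the iteration count are assumptions made for illustration.

```php
<?php
// Added illustration, not WordPress core code. All names here are hypothetical.

const STRETCH_ITERATIONS = 100000; // assumed work factor for this sketch

// Salting: a fresh random salt per password. Stretching: many PBKDF2 rounds.
function hash_password(string $password): string {
    $salt = random_bytes(16);
    $hash = hash_pbkdf2('sha256', $password, $salt, STRETCH_ITERATIONS, 0, true);
    return bin2hex($salt) . '$' . bin2hex($hash);
}

function check_password(string $password, string $stored): bool {
    [$saltHex, $hashHex] = explode('$', $stored, 2);
    $candidate = hash_pbkdf2('sha256', $password, hex2bin($saltHex), STRETCH_ITERATIONS, 0, true);
    return hash_equals(hex2bin($hashHex), $candidate); // constant-time comparison
}

// Server-side session store: only a hash of each token is kept,
// so a leaked copy of the store does not reveal usable cookie values.
final class SessionStore {
    private array $sessions = []; // sha256(token) => user ID

    public function login(int $userId): string {
        $token = bin2hex(random_bytes(32));
        $this->sessions[hash('sha256', $token)] = $userId;
        return $token; // the value that would be placed in the auth cookie
    }

    public function userFor(string $token): ?int {
        return $this->sessions[hash('sha256', $token)] ?? null;
    }

    // Logout removes the server-side record, so the old cookie stops working.
    public function logout(string $token): void {
        unset($this->sessions[hash('sha256', $token)]);
    }
}

// Constructed sample data.
$stored = hash_password('correct horse battery staple');
var_dump(check_password('correct horse battery staple', $stored));
var_dump(check_password('wrong guess', $stored));

$store = new SessionStore();
$cookie = $store->login(42);
var_dump($store->userFor($cookie)); // looked up while the session exists
$store->logout($cookie);
var_dump($store->userFor($cookie)); // same cookie replayed after logout
```

The last two lookups use the same cookie value; the point to check is that the second one no longer resolves to a user once the server-side record is gone.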